Verifying Signatures - KeePassXC

This document explains how to verify the authenticity and integrity of downloads of the KeePassXC password manager software. It describes downloading signature files along with the installation packages and using GPG keys and checksums to validate that the downloads are unmodified and originated from the official KeePassXC developers. Instructions are provided for importing the developers' public key, checking package hashes against digest files, and verifying detached signatures with the GPG key to ensure the downloads are legitimate.
Verifying Signatures - KeePassXC https://keepassxc.org/verifying-signatures

Verifying Signatures

By verifying the signatures of KeePassXC releases, you can prove the authenticity and
integrity of the downloaded file. This guarantees that the file you just downloaded was
originally created by the KeePassXC Team and that its contents haven't been tampered with
on the way.

A more detailed explanation is available in the Qubes-OS project documentation
(https://www.qubes-os.org/doc/verifying-signatures/).

Download Options

Every KeePassXC release is published in a variety of package formats:

a *.dmg drag-and-drop installer for macOS
an *.exe installer and a *.zip archive with binaries for Windows
a self-contained executable *.AppImage for GNU/Linux
a *.tar.xz source tarball

You will need to download one of these to install on your machine.

Each of these package files has two related sidecar files, a *.DIGEST and a *.sig. We explain
how to use these below.

Basic integrity check

The *.DIGEST file can be used to check that your package downloaded correctly, with the
following command. Run it from the directory that contains both files, or shasum will
report that the file could not be read:

$ shasum -a 256 -c KeePassXC-$VERSION-x86_64.AppImage.DIGEST
KeePassXC-$VERSION-x86_64.AppImage: OK


The shasum program recalculates the SHA-256 hash digest of the package file and
compares it with the value in the .DIGEST file. If they match, this shows the package was
downloaded without errors.

Checking integrity and authenticity

A more thorough check can be made using the *.sig sidecar file. This contains a GPG signature
created with one of our release keys. Signing the installable file with any other key will give a
different signature, so you can use the signature and our public key to check the package file
really came from us.

Importing the Public Master Key

We will use the gpg program to check the signatures. Before you can do that you need to
tell gpg about our public key, by importing it.

The KeePassXC public key can be retrieved in any of the ways shown below:

From a specific keyserver:

gpg --keyserver pool.sks-keyservers.net --recv-keys 0xBF5A669F2272CF4324C1FDA8CFB4C2166397D0D2

Manual download from our website (https://keepassxc.org/keepassxc_master_signing_key.asc)
and import with gpg:

gpg --import ./keepassxc_master_signing_key.asc

Fetch via gpg:

gpg --fetch-keys https://keepassxc.org/keepassxc_master_signing_key.asc

Manual download from the KeePassXC website repository
(https://github.com/keepassxreboot/keepassxreboot.github.io/blob/master/keepassxc_master_signing_key.asc)
and import with gpg:

gpg --import ./keepassxc_master_signing_key.asc


These are the fingerprints of the master key and the current signing sub keys:

pub rsa4096/CFB4C2166397D0D2 2017-01-03 [SC]
Key fingerprint = BF5A 669F 2272 CF43 24C1 FDA8 CFB4 C216 6397 D0D2
uid [ unknown ] KeePassXC Release <release@keepassxc.org>
sub rsa2048/AFF235EEFB5A2517 2017-01-03 [S] [expires: 2019-01-03]
sub rsa2048/D8538E98A26FD9C4 2017-01-03 [S] [expires: 2019-01-03]
sub rsa2048/B7A66F03B59076A8 2017-01-03 [S] [expires: 2019-01-03]

Notice that we have a master key and some sub keys. The actual signatures are created with
one of the sub keys. As the naming implies, they are closely related to one another - importing
the master GPG key is sufficient for verifying signatures made with any of its sub keys.

Once you have imported the key, you can decide whether you want to mark it as trusted. This
is not strictly necessary for the checks we are making here. For more information, see the
Qubes-OS project documentation (https://www.qubes-os.org/doc/verifying-signatures/).

Verifying Releases
You can verify the authenticity and integrity of a downloaded package from its detached
signature by running the following command:

$ gpg --verify KeePassXC-$VERSION-x86_64.AppImage.sig
gpg: assuming signed data in 'KeePassXC-$VERSION-x86_64.AppImage'
gpg: Signature made Fri 17 Feb 2017 05:20:55 PM CET
gpg: using RSA key C1E4CBA3AD78D3AFD894F9E0B7A66F03B59076A8
gpg: Good signature from "KeePassXC Release <release@keepassxc.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: BF5A 669F 2272 CF43 24C1 FDA8 CFB4 C216 6397 D0D2
Subkey fingerprint: C1E4 CBA3 AD78 D3AF D894 F9E0 B7A6 6F03 B590 76A8

You want to see that "Good signature" line. It shows that the .sig file must have been created
from the AppImage file by the sub key with the fingerprint
C1E4CBA3AD78D3AFD894F9E0B7A66F03B59076A8.

The warning is there because in this example we have not taken the extra step of trusting that
key.
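The two checks above, digest and signature, as one script (an added example, not from the KeePassXC page). It assumes shasum and gpg are on PATH, uses gpg's machine-readable --status-fd output, and goes one step beyond the page: it refuses a "Good signature" unless the VALIDSIG line names the master key fingerprint published above, so a signature from some other key in your keyring is not mistaken for a release signature.

```shell
#!/bin/sh
# Expected primary (master) key fingerprint, taken from the KeePassXC page.
EXPECTED_PRIMARY_FPR="BF5A669F2272CF4324C1FDA8CFB4C2166397D0D2"

# Parse gpg --status-fd output passed as $1. Succeed only if a VALIDSIG line
# is present and its last field (the primary key fingerprint) matches ours.
check_gpg_status() {
    printf '%s\n' "$1" | awk -v want="$EXPECTED_PRIMARY_FPR" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && $NF == want { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Verify package $1 (e.g. KeePassXC-2.x-x86_64.AppImage) against its
# $1.DIGEST and $1.sig sidecars. Run from the directory holding all three.
verify_release() {
    pkg="$1"
    # 1. Integrity: SHA-256 of the package must match the .DIGEST file.
    shasum -a 256 -c "$pkg.DIGEST" || return 1
    # 2. Authenticity: detached signature must chain to the master key.
    status=$(gpg --status-fd 1 --verify "$pkg.sig" "$pkg" 2>/dev/null)
    check_gpg_status "$status"
}

# Usage: ./verify.sh KeePassXC-$VERSION-x86_64.AppImage
if [ -n "$1" ]; then
    if verify_release "$1"; then
        echo "OK: digest matches and signature chains to the master key"
    else
        echo "FAIL: do not install this package" >&2
        exit 1
    fi
fi
```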

Verification fails!


Don't install the package. First, try downloading again and rechecking. If it is still not
working, please let us know about the problem by opening an issue
(https://github.com/keepassxreboot/keepassxc/issues).
